nullpoint/README.md
2025-05-13 21:23:55 +02:00

nullpoint
Secure Fedora Server setup with LUKS encryption, TPM, and BTRFS RAID1, with a focus on Hetzner infrastructure.

Features

  • Fedora Server base
  • Full disk encryption with LUKS
  • Remote unlock via Tang server
  • TPM-based boot verification
  • BTRFS RAID1 for data redundancy
  • Dedicated database subvolume with nodatacow and noatime
  • Automated deployment to Hetzner

If you need a dead man's switch to go along with it, check out raven.

Security Model

Unlock Methods

The system uses multiple methods to unlock the LUKS volumes:

  1. Primary Method: TPM2 + Tang server
    • TPM2 verifies boot integrity
    • Tang server provides remote unlock capability
    • Both must succeed for automatic unlock
  2. Fallback Method: Manual passphrase
    • Available via SSH before LUKS unlock
    • Uses dropbear for early SSH access
    • Can be used for recovery or maintenance

TPM Updates

After firmware updates (UEFI/BIOS), the TPM bindings need to be updated; otherwise the PCR measurements no longer match and the system cannot boot without the recovery passphrase.

  1. Use the provided script: sudo /root/update-tpm-bindings.sh
  2. The script will:
    • Show current PCR values
    • Update TPM bindings to match new measurements
    • Verify all bindings are correct
  3. Manual passphrase is available in /root/luks-passphrase.txt if needed
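The following is an added example for the two sections above; it is not the project's own /root/update-tpm-bindings.sh (which the README does not show). It builds the Clevis SSS policy that expresses "TPM2 and Tang must both succeed" (threshold t=2 over the two pins; t=1 would make either pin sufficient), parses the output of `clevis luks list`, finds the key slots whose policy depends on the tpm2 pin (including when it is nested inside sss), diffs two `tpm2_pcrread` snapshots to show which PCRs a firmware update changed, and emits the `clevis luks regen` commands that re-seal those slots against the current PCR values. The device path, Tang URL, PCR selection and the sample command outputs are assumptions constructed for the example.

```python
"""Clevis unlock-policy helpers (added example, not the project's script).

Assumptions: device /dev/sda2, Tang URL and PCR selection below,
and constructed sample outputs of `clevis luks list` / `tpm2_pcrread`.
"""
import json
import re

# --- Primary unlock method: TPM2 + Tang, both required -------------------
def sss_config(tang_url, pcr_ids="7", threshold=2):
    """Clevis 'sss' policy: t=2 over two pins means BOTH the TPM2 PCR
    policy and the Tang server must succeed (t=1 would mean either)."""
    return {"t": threshold,
            "pins": {"tang": [{"url": tang_url}],
                     "tpm2": [{"pcr_bank": "sha256", "pcr_ids": pcr_ids}]}}

def bind_command(device, cfg):
    """Shell line that binds the policy to a new LUKS key slot."""
    return "clevis luks bind -d %s sss '%s'" % (
        device, json.dumps(cfg, separators=(",", ":")))

# --- Reading the existing bindings ----------------------------------------
LIST_RE = re.compile(r"^(\d+):\s+(\S+)\s+'(.*)'$")

def parse_clevis_luks_list(text):
    """Parse `clevis luks list -d DEV` lines of the form "<slot>: <pin> '<json>'"."""
    slots = []
    for line in text.splitlines():
        m = LIST_RE.match(line.strip())
        if m:
            slots.append((int(m.group(1)), m.group(2), json.loads(m.group(3))))
    return slots

def uses_pin(pin, cfg, wanted):
    """True if the policy depends on `wanted`, looking inside nested sss pins."""
    if pin == wanted:
        return True
    if pin == "sss":
        for sub_pin, sub_cfgs in cfg.get("pins", {}).items():
            if not isinstance(sub_cfgs, list):   # clevis accepts a dict or a list
                sub_cfgs = [sub_cfgs]
            if any(uses_pin(sub_pin, c, wanted) for c in sub_cfgs):
                return True
    return False

# --- PCR drift after a firmware update ------------------------------------
PCR_RE = re.compile(r"^\s*(\d+)\s*:\s*0x([0-9A-Fa-f]+)\s*$")

def parse_pcrread(text):
    """Parse `tpm2_pcrread` output ("sha256:" then "  N : 0x...") into {bank: {pcr: hex}}."""
    banks, bank = {}, None
    for line in text.splitlines():
        s = line.strip()
        if s.endswith(":") and not PCR_RE.match(s):
            bank = s[:-1]
            banks[bank] = {}
        elif bank is not None and PCR_RE.match(s):
            m = PCR_RE.match(s)
            banks[bank][int(m.group(1))] = m.group(2).lower()
    return banks

def changed_pcrs(before, after):
    """PCRs whose value differs between two snapshots, as (bank, index)."""
    changed = []
    for bank in sorted(set(before) | set(after)):
        b, a = before.get(bank, {}), after.get(bank, {})
        changed += [(bank, i) for i in sorted(set(b) | set(a)) if b.get(i) != a.get(i)]
    return changed

def regen_commands(device, slots):
    """`clevis luks regen` re-seals a slot against the current PCR values
    while keeping its policy; only tpm2-dependent slots need it. Regen has
    to unlock the volume first, so expect a passphrase prompt when the old
    TPM policy no longer matches."""
    return ["clevis luks regen -d %s -s %d" % (device, slot)
            for slot, pin, cfg in slots if uses_pin(pin, cfg, "tpm2")]

# --- Constructed sample data ----------------------------------------------
SAMPLE_LIST = """\
1: sss '{"t":2,"pins":{"tang":[{"url":"http://tang.example.internal:7500"}],"tpm2":[{"pcr_bank":"sha256","pcr_ids":"7"}]}}'
2: tang '{"url":"http://tang.example.internal:7500"}'
"""
PCRS_BEFORE = "sha256:\n  0 : 0xAAAA\n  7 : 0xBBBB\n"   # constructed, shortened digests
PCRS_AFTER = "sha256:\n  0 : 0xCCCC\n  7 : 0xBBBB\n"    # firmware update changed PCR 0

if __name__ == "__main__":
    print(bind_command("/dev/sda2", sss_config("http://tang.example.internal:7500")))
    print("changed PCRs:", changed_pcrs(parse_pcrread(PCRS_BEFORE), parse_pcrread(PCRS_AFTER)))
    for cmd in regen_commands("/dev/sda2", parse_clevis_luks_list(SAMPLE_LIST)):
        print(cmd)
```

Feeding the script real output means piping `clevis luks list -d /dev/sda2` and `tpm2_pcrread sha256:0,7` into the two parsers; a slot bound only to Tang (slot 2 in the sample) is deliberately left alone, since its policy does not depend on PCR values.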

Repository Structure

.
├── build.py             # Build and upload image from build-config
├── deploy.py            # Deployment script for Hetzner from deploy-config
├── MASTER_README.md     # Tang server setup documentation
├── README.md            # Main project documentation
└── requirements.txt     # Python dependencies

Prerequisites

# Install tools
curl -fsSL https://raw.githubusercontent.com/hetznercloud/cli/master/install.sh | bash
go install github.com/hetznercloud/hcloud-upload-image@latest
sudo dnf install -y jq python3-pyyaml libguestfs-tools cloud-image-utils curl

# Configure Hetzner
export HCLOUD_TOKEN="your-token-here"
hcloud ssh-key create --name "fedora-server-hetzner" --public-key "$(cat ~/.ssh/id_ed25519.pub)"

Setup

  1. Configure Build Settings

    cp build-config.yaml.example build-config.yaml
    vim build-config.yaml  # Edit LUKS, storage, and image settings
    
  2. Build Base Image (one-time setup)

    python3 build.py  # Creates and uploads Fedora Server image to Hetzner
    
  3. Configure Deployment Settings

    cp deploy-config.yaml.example deploy-config.yaml
    vim deploy-config.yaml  # Edit server type, location, and hostname settings
    
  4. Deploy Server

    python3 deploy.py  # Creates new server from base image
    
  5. Verify

    ssh admin@your-server
    systemctl status clevis-luks-askpass
    lsblk
    btrfs filesystem show  # Check RAID1 status
    clevis-luks-list -d /dev/sda2
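As an added example for the Verify step (not part of the project), the script below parses the text printed by `btrfs filesystem show`, `btrfs filesystem df MOUNTPOINT`, /proc/mounts and `lsattr -d DIR` and checks the layout against the README's design: RAID1 for every block-group type, no missing RAID member, and a database subvolume mounted noatime with no-COW in effect. It flags the two failure modes worth catching: a filesystem that was written to while mounted degraded shows an extra "single" profile next to RAID1, and a missing member is reported by btrfs as "*** Some devices missing". Because btrfs applies nodatacow from mount options to the whole filesystem rather than per subvolume, the per-directory check is the `C` attribute from `lsattr`. The mountpoint /var/lib/db, the device names and every sample output are constructed assumptions.

```python
"""Post-deploy storage checks (added example, not part of the project).
Assumptions: mountpoint /var/lib/db, device names, constructed outputs."""
import re

def profiles_by_type(df_output):
    """{Data|Metadata|System: {profiles}} from `btrfs filesystem df`.
    GlobalReserve is always 'single' and is ignored on purpose."""
    out = {}
    for line in df_output.splitlines():
        m = re.match(r"^(Data|Metadata|System), (\S+): total=", line.strip())
        if m:
            out.setdefault(m.group(1), set()).add(m.group(2))
    return out

def raid1_ok(df_output):
    """Healthy only when every type is RAID1 and nothing else."""
    p = profiles_by_type(df_output)
    return all(p.get(t) == {"RAID1"} for t in ("Data", "Metadata", "System"))

def parse_fs_show(show_output):
    """Filesystems from `btrfs filesystem show`: label, uuid, declared device
    count, present device paths and whether btrfs flagged missing devices."""
    filesystems, cur = [], None
    for line in show_output.splitlines():
        s = line.strip()
        m = re.match(r"^Label: (.+?)\s+uuid: (\S+)", s)
        if m:
            cur = {"label": m.group(1).strip("'"), "uuid": m.group(2),
                   "total": 0, "devices": [], "missing": False}
            filesystems.append(cur)
        elif cur is None:
            continue
        elif s.startswith("Total devices"):
            cur["total"] = int(s.split()[2])
        elif s.startswith("devid"):
            m = re.search(r"path (\S+)", s)
            if m:
                cur["devices"].append(m.group(1))
        elif "Some devices missing" in s:
            cur["missing"] = True
    return filesystems

def redundancy_ok(fs):
    """RAID1 only protects data while every member is present."""
    return fs["total"] >= 2 and len(fs["devices"]) == fs["total"] and not fs["missing"]

def mount_options(proc_mounts, mountpoint):
    """Option set for a mountpoint from /proc/mounts, or None if not mounted."""
    for line in proc_mounts.splitlines():
        f = line.split()
        if len(f) >= 4 and f[1] == mountpoint:
            return set(f[3].split(","))
    return None

def db_mount_ok(proc_mounts, mountpoint="/var/lib/db"):
    opts = mount_options(proc_mounts, mountpoint)
    return opts is not None and {"noatime", "nodatacow"} <= opts

def nocow_attr_set(lsattr_output):
    """`lsattr -d DIR` prints 'C' in the flag field when the directory
    carries the no-COW attribute (the per-directory form of nodatacow)."""
    return "C" in lsattr_output.split()[0]

# --- constructed sample output ---
DF_HEALTHY = """\
Data, RAID1: total=2.00GiB, used=1.00GiB
System, RAID1: total=32.00MiB, used=16.00KiB
Metadata, RAID1: total=1.00GiB, used=512.00MiB
GlobalReserve, single: total=16.00MiB, used=0.00B
"""
DF_DEGRADED = DF_HEALTHY + "Data, single: total=1.00GiB, used=256.00MiB\n"
SHOW_HEALTHY = """\
Label: 'data'  uuid: 00000000-0000-0000-0000-000000000001
\tTotal devices 2 FS bytes used 1.00GiB
\tdevid    1 size 931.51GiB used 3.02GiB path /dev/sda3
\tdevid    2 size 931.51GiB used 3.02GiB path /dev/sdb3
"""
SHOW_MISSING = """\
Label: 'data'  uuid: 00000000-0000-0000-0000-000000000001
\tTotal devices 2 FS bytes used 1.00GiB
\tdevid    1 size 931.51GiB used 3.02GiB path /dev/sda3
\t*** Some devices missing
"""
MOUNTS = "/dev/sda3 /var/lib/db btrfs rw,noatime,nodatacow,space_cache=v2,subvolid=257,subvol=/db 0 0\n"
LSATTR = "---------------C------ /var/lib/db\n"

if __name__ == "__main__":
    print("RAID1 profiles:", raid1_ok(DF_HEALTHY), "| degraded sample:", raid1_ok(DF_DEGRADED))
    print("all members present:", redundancy_ok(parse_fs_show(SHOW_HEALTHY)[0]),
          "| missing sample:", redundancy_ok(parse_fs_show(SHOW_MISSING)[0]))
    print("db subvolume mount:", db_mount_ok(MOUNTS), "| no-COW attr:", nocow_attr_set(LSATTR))
```

On the server, replace the constructed strings with the real output of `sudo btrfs filesystem df /var/lib/db`, `sudo btrfs filesystem show`, `cat /proc/mounts` and `lsattr -d /var/lib/db`; a scheduled run of these checks that alerts on any False is the cheapest way to notice a silently dropped RAID member.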